This section describes the roles and permissions associated with CxSAST / CxOSA that are effective after performing the data migration procedure and upgrading to CxSAST/CxOSA v9.0.0 and up.
The following table lists the predefined roles that are provided for CxSAST / CxOSA v9.0.0 and up, along with their respective permissions:
Provided roles cannot be updated or deleted. |
| Provided Roles for CxSAST / CxOSA | Description | Permissions per Role |
|---|---|---|
| Scanner | Permissions to create and manage projects, and run scans | save-sast-scan save-osa-scan open-issue-tracking-tickets save-project create-project view-failed-sast-scan download-scan-log see-support-link |
Reviewer | Read-only permissions to view scan results and generate reports | manage-result-comment manage-data-analysis-templates generate-scan-report export-scan-results see-support-link |
Auditor | Permissions to manage vulnerability queries and use CxAudit | use-cxaudit create-preset update-and-delete-preset manage-custom-description save-sast-scan save-project |
| Results Updater | Permissions to update the properties of scan results | manage-results-state-and-assignee manage-result-comment manage-result-severity |
Results Verifier | Permissions to set the state of scan results to "Not Exploitable" | manage-result-exploitability set-result-state-notexploitable set-result-state-toverify set-result-state-confirmed set-result-state-urgent set-result-state-proposednotexploitable |
Data Cleaner | Permissions to delete projects and scans | delete-sast-scan delete-project |
SAST Admin | Full permissions | All SAST permissions, excluding use-cxaudit |
| Access Control Manager | Manages users, authentication and system settings | *See footnote below this table. |
| Admin | Checkmarx products global administrator | *See footnote below this table. |
| User Manager | Manages the users in the system | *See footnote below this table. |
| Security Risk Manager | Grants permissions to manage the security risk at scale, manage policies, KPIs, business applications, weights, and more. | **See footnote below this table. |
| Security Risk Viewer | Grants permissions to track the security risk, and view policy violations and KPIs. | **See footnote below this table. |
*These permissions are coming from Access Control.
**These permissions are coming from M&O.
The following table describes the permissions associated with CxSAST / CxOSA v9.0.0 and up:
| Permission | Category | Description |
|---|---|---|
| manage-authentication-providers | General/Access Control | Manage authentication providers |
| manage-clients | General/Access Control | Manage clients and their settings |
| manage-roles | General/Access Control | Manage custom roles |
| manage-system-settings | General/Access Control | Manage general system settings |
| manage-users | General/Access Control | Manage Users |
save-sast-scan | Projects & Scans |
|
delete-sast-scan | Projects & Scans |
|
save-project | Projects & Scans |
|
delete-project | Projects & Scans | Delete project |
view-failed-sast-scan | Projects & Scans | View faild scans |
save-osa-scan | Projects & Scans | Run CxOSA scan |
| download-scan-log | Projects & Scans | Download scan log |
manage-result-state-and-assignee | Scan Results |
|
manage-result-comment | Scan Results | Add new result comment |
manage-result-exploitability | Scan Results | Set result state to NE (all other states will be available as well) |
manage-result-severity | Scan Results | Change result severity |
open-issue-tracking-tickets | Scan Results | Create ticket for result |
manage-data-analysis-templates | Reports | create and delete templates |
generate-scan-report | Reports | Generate scan reports |
| export-scan-results | Reports | Export to CSV from the results viewer |
manage-custom-description | Vulnerability Queries | Manage custom query descriptions (create, export and import) |
create-preset | Vulnerability Queries | Create a new preset, save it, update it, delete it |
| manage-queries | Vulnerability Queries | Created and manage queries customization in the CxAudit |
update-and-delete-preset | Vulnerability Queries | Edit and delete all presets (including Cx out-of-the-box presets) |
| use-cxaudit | Vulnerability Queries | Login to CxAudit Note: This permission is counted against the license. |
manage-data-retention | System Configuration | Manage data retention |
manage-engine-servers | System Configuration | Manage engine servers |
manage-system-settings | System Configuration |
|
manage-external-services-settings | System Configuration | Configure external service settings |
manage-custom-fields | System Configuration | Create/update/delete custom fields |
manage-issue-tracking-systems | System Configuration | Manage issue-tracking system |
manage-pre-post-scan-actions | System Configuration | Configure pre- and post-scan actions |
| download-system-logs | System Configuration | View installation details page Download application logs Note: only available from 9.0 HF1 |
| view-appsec-coach-statistics | System Configuration | Ability to set the Codebashing integration |
use-odata | API | Fetch all data via OData API (no filter per current user's team) |
| see-support-link | Other | View and use "Services & Support" button |
| view-results | Scan Results | This permission separates the view-results ability from any other permission. This is added to any predefined role and is available from CxSAST 9.0 HF5 |
| manage-global-policies-settings | Security Risk Management | Manage Global Policies Settings |
| manage-policies | Security Risk Management | Manage Policies |
| manage-remediation-intelligence | Security Risk Management | Manage Remediation Intelligence |
| view-analytics | Security Risk Management | View Analytics |
The following permissions are required to open the following CxSAST / CxOSA user interface screens.
| UI Screen | Required permission to open the screen |
|---|---|
| Dashboard/Project state | - |
| Dashboard/Failed scans | view-failed-sast-scan |
| Dashboard/Utilization | manage-system-settings |
| Dashboard/Risk | - |
| Dashboard/Data Analysis | |
| Projects & Scans/Create new project | |
| Projects & Scans/Queue | |
| Projects & Scans/Projects | - |
| Projects & Scans/All scans | - |
| Management/Scan settings/Query viewer | - |
| Management/Scan settings/Preset manager | - |
| Management/Scan settings/Pre-post actions | manage-pre-post-scan-actions |
| Management/Scan settings/Source control users | manage-system-settings |
| Management/Application settings/General | manage-system-settings |
| Management/Application settings/License | manage-system-settings |
| Management/Application settings/OSA settings | manage-system-settings |
| Management/Application settings/Installation | manage-system-settings |
| Management/Application settings/External services | manage-external-services-settings |
| Management/Application settings/Engine management | manage-engine-servers |
| Management/Application settings/Data retention | manage-data-retention |
| Management/Application settings/Issue tracking | manage-issue-tracking-systems |
| Management/Manage custom fields | manage-custom-fields |
| Access Control | manage-users (AC permission) |
| M&O/Analytics | view-analytics (M&O permission) |
| M&O/Remediation Intelligence | (M&O permission) |
| M&O/Policy Violations | - |
| M&O/Policy Manager | - |
| My Profile | - |
| Services & Support | see-support-link |
.